Following are instructions for php5, MySQL 5 database and latest lighttpd in chrooted jail under 64 bit Ubuntu Linux.

You will learn how to configure and install secure lighttpd server along with PHP5 and MySQL server version 5. Instruction mentioned below also work with 32 bit version. See original article for more information.

Great guide, but I have a couple of small problems, that you may have a solution for…

1. Even though I have made a copy of hosts and resolv.conf to /webroot/etc/ I still cant use localhost to connect to the db. Works fine with 127.0.0.1, so its not really a big problem. And I have checked the hosts file, and localhost is in it.

2. I would like to install phpMyAdmin to manage the MySQL, but since I have never installed anything in a chroot jail before, I dont know how. I assume the apt-get install phpmyadmin will do me no good, since the web-server is not where it normally should be.

THX for the guide, tested on Ubuntu 7.10 (minimal) to be a complete no-brainer to follow. Just shut down your brain and copy-paste ;-)

> I would like to install phpMyAdmin to manage the MySQL, but since I have never installed anything in a chroot jail before, I dont know how. install it under /webroot/var/www/phpmyadmin. Don’t forget to password protect phpmyadmin directory. If you are going to set large number of vhosts use /webroot/home/lighttpd/domain1.com /webroot/home/lighttpd/domain2.com directory structure.

THX for the reply vivek, it got me thinking that I could just install it with the package and the move it :) I even got i connecting and all, but there is one problem. I get the error

Cannot load mcrypt check your PHP configuration

But, mcrypt is installed and i have moved all the files that i could find with mcrypt in their name, to the same locatio under /webroot, but with no effect. Anyone got a suggestion. I am using the phpmyadmin so apperantly its not that bad, but it would be nice not to have errors in the setup ;)

hmm.. after more research i can sync it but strange,mysql shows * Checking for corrupt, not cleanly closed and upgrade needing tables. every time i restart it. and I can’t install wordpress, phpmyadmin etc. the error said the database server is not responsive or cannot make connection. But, I can connect just fine with above test and I can connect too from command line. please help

I thought one of the main advantages of chrooting or jailing a server is that any attacker who compromises the server won’t be able to compile malicious code, due to not having the necessary libraries.

So, if you copy all of /lib64 and /usr/lib into the jail, including /lib64/gcc for instance, haven’t you sort of given an attacker, if not the key to the jail, then some equipment that can be used to create a key?

Noop, we just copied libs no headers or compiler itself. Also, in order to upload or download file most attacker depends upon tools like wget or others. Under jail none of the binaries or headers available.

You can selectively copy files /lib64 such as resolvers by tracing used libs via ldd command.

Copying /lib and /lib64 certainly seems quicker than running ldd for every executable I want to bring into the jail. So why is the ldd approach the only one I’ve seen in ‘apache security’ and the like? Any thoughts? Maybe just to keep chroot size down?

Thanks for the great tutorial, but I ran into a few pains in the arse. For some reason, the test file fails when trying to open both the passwd and hosts file. I’ve even chmodded them to 777 with no avail.

This little issue screwed up my wordpress install, which I was able to work around (as far as I can tell, anyways) by changing the reference in the config file from “localhost” to 127.0.0.1, but I’m not sure if this will adversely affect me anywhere else down the line.

@andy: I assume the reference you’re talking about is the database server. I’ve come across the fact that you can not connect to mysql server via tcp/ip using the name “localhost”, you have to use 127.0.0.1 (which would be equivalent in most other contexts). Localhost somehow seems to force a unix socket connection, which in this context would not work, as your mysql server is not in the chroot. Now you could transfer your db server inside the chroot, but I don’t think it makes much sense. Probably better to put it in a different chroot, or a different server altogether, you’ll just need to change the IP address… I hope that makes sense :o)

Some things I’ve picked up after having followed this tutorial… If you want to use some OpenSSL features in PHP, you must recreate /dev/random and /dev/urandom in /webroot/dev/* using the mknod command. Also to debug scripts/programs in a chroot environment use the strace utility to find out dependencies.